On Mon, Jan 22, 2007 at 04:52:53PM +0200, WireSpot wrote:
> Can anyone recommend a piece of software that will watch a file or a
> directory and tell me what processes mess with the files in there? In
> particular, I'd like it to react when a file is removed.
>
> I tried dnotify but it only tells me that it happened, after it
> happened, not who did it.
>
> I need this because on this one Debian testing server I have a problem
> that's driving me mad: something comes around and periodically removes
> files from /var dirs, making certain services crash and burn: Samba
> tdb files, Apache SSL mutex, MySQL and Postgres runtime files and so
> on. And I can't figure out who the hell is doing that.

If it were me and I didn't know any better, I'd suspect a security breach until proved otherwise. I'm assuming that you haven't been running something like samhain from day one.

Look at when this problem started in relation to when a package got installed.

As far as 'who' is doing this, I would guess that the only user with the privilege to do this is root.

The problem of processes is that they come and go. You can look at all the running processes in /proc and examine all the command lines and environments but it may not help.

To clarify, how do you mean "periodically"? Do you mean periodically like a cron job, or at random intervals (occasionally)?

Doug.
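
Added example, not part of the original message: one way to line up the onset of the deletions with package changes, by filtering dpkg's log for installs, upgrades and removals in a window before the first failure. It assumes the host keeps /var/log/dpkg.log; the sample lines, the placeholder package names and the onset time are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample in the /var/log/dpkg.log line format
# (date time action package old-version new-version); names are placeholders.
SAMPLE_DPKG_LOG = """\
2007-01-02 09:14:07 install example-pkg-a <none> 1.0-1
2007-01-02 09:14:09 status installed example-pkg-a 1.0-1
2007-01-15 18:40:51 upgrade example-pkg-b 2.3-1 2.4-1
2007-01-16 03:12:44 install example-pkg-c <none> 0.9-2
2007-01-16 03:12:45 configure example-pkg-c 0.9-2 0.9-2
2007-01-21 11:05:00 remove example-pkg-d 4.1-3 <none>
this line is malformed and must be skipped
"""

# Actions that change what is installed; status/configure lines are noise here.
ACTIONS = {"install", "upgrade", "remove", "purge"}


def package_changes(log_text):
    """Yield (timestamp, action, package, old_version, new_version) tuples."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[2] not in ACTIONS:
            continue
        try:
            when = datetime.strptime(fields[0] + " " + fields[1],
                                     "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # truncated or corrupted log line
        yield (when, fields[2], fields[3], fields[4], fields[5])


def suspects(log_text, first_failure, lookback_days=7):
    """Package changes in the window before first_failure, newest first."""
    start = first_failure - timedelta(days=lookback_days)
    hits = [c for c in package_changes(log_text)
            if start <= c[0] <= first_failure]
    return sorted(hits, reverse=True)


if __name__ == "__main__":
    # Assumed onset: when the first runtime file was noticed missing.
    onset = datetime(2007, 1, 17, 6, 0, 0)
    for when, action, pkg, old, new in suspects(SAMPLE_DPKG_LOG, onset):
        print(when, action, pkg, old, "->", new)
```

On a real host, pass the contents of /var/log/dpkg.log (and any rotated copies) instead of the sample, and set the onset from the earliest service crash in the logs.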